HAProxy ACL Rules Get Merged Incorrectly?



  • I'm trying to build out the config on this blog (http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate), but it appears that the ACL rules generated from the GUI do not match his configuration.

    I don't have my generated configuration handy (will post later today), but it appears that when you build the handful of ACL rules on each of the shared frontends and use the 'NOT' option, the merged ruleset treats the entire ACL as 'NOT' rather than the individual ACL rules.

    Specifically, the parts that seem to be applied incorrectly are in this section of his tutorial:

    Name: WAN_443_HTTPS
    Description: HTTPS
    Shared Frontend: Yes
    Primary Frontend: WAN_443
    Backend Server Pool: WAN_HTTPS
    Access Control lists:
    
    NAME=acl EXPR=Custom NOT=no VALUE=req.ssl_hello_type 1
    NAME=acl EXPR=Custom NOT=yes VALUE=req.ssl_sni -m end -i .vpn.example.com
    NAME=acl EXPR=Custom NOT=yes VALUE=req.ssl_sni -m end -i .ssh.example.com
    
    

    Hopefully that makes sense… If I could import my own config it'd likely be no problem, as his config is published here (https://gist.github.com/jpawlowski/3f91ef9d0bba49eb0c58) and seems to make logical sense to me.

    Should I be expecting this type of behavior?

    Thanks,
    Ryan
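
The two readings of the 'NOT' option described in the post above, as an added example that is not part of the original post or of the pfSense HAProxy package: it evaluates the three GUI rows against constructed connections, once with each NOT negating only its own ACL and once with the whole ANDed condition negated. The ACL names `acl1`..`acl3`, the sample connections, and the interpretation of "the entire ACL as NOT" as negating the whole conjunction are assumptions.

```python
# Added example: the GUI rows from the post as (negate, fetch, argument) tuples.
ROWS = [
    (False, "req.ssl_hello_type", "1"),
    (True, "req.ssl_sni", ".vpn.example.com"),
    (True, "req.ssl_sni", ".ssh.example.com"),
]

def acl_matches(fetch, arg, conn):
    """Evaluate one ACL against a constructed connection dict."""
    if fetch == "req.ssl_hello_type":
        return conn.get("hello_type") == int(arg)
    if fetch == "req.ssl_sni":  # models '-m end -i': case-insensitive suffix match
        return (conn.get("sni") or "").lower().endswith(arg.lower())
    raise ValueError(f"unsupported fetch: {fetch}")

def per_rule_not(rows, conn):
    """Intended reading: each NOT negates only its own ACL, then all are ANDed."""
    return all(acl_matches(f, a, conn) != neg for neg, f, a in rows)

def whole_condition_not(rows, conn):
    """Assumed faulty reading: ACLs are ANDed as written, then the result is negated."""
    return not all(acl_matches(f, a, conn) for _, f, a in rows)

def expected_condition(rows, prefix="acl"):
    """Render the HAProxy condition for the intended reading ('!' negates one ACL)."""
    return " ".join(("!" if neg else "") + f"{prefix}{i}"
                    for i, (neg, _, _) in enumerate(rows, 1))

def compare(rows, conns):
    """Return {label: (intended, faulty)} for each constructed connection."""
    return {label: (per_rule_not(rows, c), whole_condition_not(rows, c))
            for label, c in conns.items()}

# Constructed sample connections (not captured traffic).
SAMPLES = {
    "www": {"hello_type": 1, "sni": "www.example.com"},
    "vpn": {"hello_type": 1, "sni": "gw.VPN.example.com"},
    "ssh": {"hello_type": 1, "sni": "box.ssh.example.com"},
    "no-tls": {"hello_type": None, "sni": None},
}

if __name__ == "__main__":
    print("use_backend WAN_HTTPS if", expected_condition(ROWS))
    for label, (intended, faulty) in compare(ROWS, SAMPLES).items():
        print(f"{label:7} intended={intended} faulty={faulty}")
```

Because no SNI can end in both `.vpn.example.com` and `.ssh.example.com`, the whole-condition reading matches every connection, so VPN, SSH and non-TLS traffic would all be sent to WAN_HTTPS; comparing the generated `use_backend` line against the rendered condition shows which reading the GUI produced.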